SECURITY MONITORING OF NETWORK CONNECTIONS USING METRICS DATA

US 20180219879A1
Filed: 01/27/2017
Published: 08/02/2018
Est. Priority Date: 01/27/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

analyzing network traffic data for a network connection associated with a computing device;

identifying one or more network traffic metrics for the network connection based on the network traffic data;

determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics;

detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile; and

initiating a mitigation action with respect to the network connection in response to detecting the potential security threat.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the present invention set forth techniques for security monitoring of a network connection, including analyzing network traffic data for a network connection associated with a computing device, identifying one or more network traffic metrics for the network connection based on the network traffic data, determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics, detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile, and initiating a mitigation action with respect to the network connection in response to detecting the potential security threat. Advantageously, the techniques allow detecting potential security threats based on network traffic metrics and categorizations, without requiring monitoring of the content or the total volume of all traffic exchanged via the connection.

114 Citations

View as Search Results

30 Claims

1. A computer-implemented method, comprising:
- analyzing network traffic data for a network connection associated with a computing device;
  
  identifying one or more network traffic metrics for the network connection based on the network traffic data;
  
  determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics;
  
  detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile; and
  
  initiating a mitigation action with respect to the network connection in response to detecting the potential security threat.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-implemented method of claim 1, wherein the network traffic data comprises one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity within an information technology infrastructure that includes the computing device.
  - 3. The computer-implemented method of claim 1, wherein identifying the one or more network traffic metrics comprises at least one of:
    - computing a symmetry metric indicating a degree to which a first number of data bytes transmitted via the network connection in a first direction exceeds a second number of data bytes transmitted via the network connection in a second direction;
      
      computing a responsiveness metric indicating a degree of responsiveness associated with one or more computing devices exchanging data via the network connection; and
      
      computing an efficiency metric indicating a degree of efficiency associated with the one or more computing devices transmitting data via the network connection.
  - 4. The computer-implemented method of claim 3, wherein the symmetry metric is computed by:
    - dividing the first number of bytes transmitted via the network connection in the first direction by a total number of bytes exchanged via the network connection to produce a first fraction; and
      
      subtracting a first value from a second value representative of the first fraction to produce the symmetry metric.
  - 5. The computer-implemented method of claim 3, wherein the efficiency metric represents an average size of a packet exchanged via the network connection.
  - 6. The computer-implemented method of claim 3, wherein the responsiveness metric represents a number of packets exchanged per second via the network connection.
  - 7. The computer-implemented method of claim 3, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a transfer profile by determining that the symmetry metric has at least a first threshold value and that the efficiency metric has at least a second threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the transfer profile.
  - 8. The computer-implemented method of claim 3, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a human profile by determining that the symmetry metric does not exceed a first threshold value, that a duration metric indicating a duration of the network connection has at least a second threshold value, and that the responsiveness metric has less than a third threshold value.
  - 9. The computer-implemented method of claim 3, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a reverse profile by determining that the symmetry metric indicates that the first number of data bytes transmitted via the network connection in the first direction exceeds the second number of data bytes transmitted via the network connection in the second direction by at least a first threshold ratio, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the reverse profile.
  - 10. The computer-implemented method of claim 1, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a probe profile by determining that a number of packets exchanged via the network connection is less than a first threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to a probe profile.
  - 11. The computer-implemented method of claim 1, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile, and detecting the potential security threat for the network connection comprises determining that the network connection no longer corresponds to the first profile.
  - 12. The computer-implemented method of claim 1, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile by determining that each network traffic metric included in the one or more network traffic metrics meets a predetermined range associated with the network traffic metric, and detecting the potential security threat for the network connection comprises determining that at least one network traffic metric no longer meets the predetermined range associated with the at least one network traffic metric.
  - 13. The computer-implemented method of claim 1, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile by determining that each network traffic metric included in the one or more network traffic metrics meets a predetermined range associated with the network traffic metric, and detecting the potential security threat for the network connection comprises determining that at least one network traffic metric has varied by at least a first threshold amount.

14. A non-transitory computer-readable storage medium including instructions that, when executed by a processor, cause the processor to identify attack behavior based on scripting language activity, by performing the steps of:
- analyzing network traffic data for a network connection associated with a computing device;
  
  identifying one or more network traffic metrics for the network connection based on the network traffic data;
  
  determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics;
  
  detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile; and
  
  initiating a mitigation action with respect to the network connection in response to detecting the potential security threat.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the network traffic data comprises one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity within an information technology infrastructure that includes the computing device.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein identifying the one or more network traffic metrics comprises at least one of:
    - computing a symmetry metric indicating a degree to which a first number of data bytes transmitted via the network connection in a first direction exceeds a second number of data bytes transmitted via the network connection in a second direction;
      
      computing a responsiveness metric indicating a degree of responsiveness associated with one or more computing devices exchanging data via the network connection; and
      
      computing an efficiency metric indicating a degree of efficiency associated with the one or more computing devices transmitting data via the network connection.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a transfer profile by determining that the symmetry metric has at least a first threshold value and that the efficiency metric has at least a second threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the transfer profile.
  - 18. The non-transitory computer-readable storage medium of claim 16, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a reverse profile by determining that the symmetry metric indicates that the first number of data bytes transmitted via the network connection in the first direction exceeds the second number of data bytes transmitted via the network connection in the second direction by at least a first threshold ratio—
    - and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the reverse profile.
  - 19. The non-transitory computer-readable storage medium of claim 14, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a probe profile by determining that a number of packets exchanged via the network connection is less than a first threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to a probe profile.
  - 20. The non-transitory computer-readable storage medium of claim 14, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile, and detecting the potential security threat for the network connection comprises determining that the network connection no longer corresponds to the first profile.
  - 21. The non-transitory computer-readable storage medium of claim 14, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile by determining that each network traffic metric included in the one or more network traffic metrics meets a predetermined range associated with the network traffic metric, and detecting the potential security threat for the network connection comprises determining that at least one network traffic metric no longer meets the predetermined range associated with the at least one network traffic metric.
  - 22. The non-transitory computer-readable storage medium of claim 14, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile by determining that each network traffic metric included in the one or more network traffic metrics meets a predetermined range associated with the network traffic metric, and detecting the potential security threat for the network connection comprises determining that at least one network traffic metric has varied by at least a first threshold amount.

23. A computing device, comprising:
- a memory that includes a security monitoring program; and
  
  a processor that is coupled to the memory and, when executing the security monitoring program, is configured to;
  
  analyze network traffic data for a network connection associated with a computing device;
  
  identify one or more network traffic metrics for the network connection based on the network traffic data;
  
  determine that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics;
  
  detect a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile; and
  
  initiate a mitigation action with respect to the network connection in response to detecting the potential security threat.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The computing device of claim 23, wherein the network traffic data comprises one or more events, each event being associated with a different timestamp and including raw machine data reflective of activity within an information technology infrastructure that includes the computing device.
  - 25. The computing device of claim 23, wherein identifying the one or more network traffic metrics comprises at least one of:
    - computing a symmetry metric indicating a degree to which a first number of data bytes transmitted via the network connection in a first direction exceeds a second number of data bytes transmitted via the network connection in a second direction;
      
      computing a responsiveness metric indicating a degree of responsiveness associated with one or more computing devices exchanging data via the network connection; and
      
      computing an efficiency metric indicating a degree of efficiency associated with the one or more computing devices transmitting data via the network connection.
  - 26. The computing device of claim 25, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a transfer profile by determining that the symmetry metric has at least a first threshold value and that the efficiency metric has at least a second threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the transfer profile.
  - 27. The computing device of claim 25, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a reverse profile by determining that the symmetry metric indicates that the first number of data bytes transmitted via the network connection in the first direction exceeds the second number of data bytes transmitted via the network connection in the second direction by at least a first threshold ratio—
    - and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to the reverse profile.
  - 28. The computing device of claim 23, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a probe profile by determining that a number of packets exchanged via the network connection is less than a first threshold value, and wherein detecting the potential security threat for the network connection comprises determining that the network connection corresponds to a probe profile.
  - 29. The computing device of claim 23, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile, and detecting the potential security threat for the network connection comprises determining that the network connection no longer corresponds to the first profile.
  - 30. The computing device of claim 23, wherein determining that the network connection corresponds to the at least one network connection profile comprises determining that the network connection corresponds to a first profile by determining that each network traffic metric included in the one or more network traffic metrics meets a predetermined range associated with the network traffic metric, and detecting the potential security threat for the network connection comprises determining that at least one network traffic metric no longer meets the predetermined range associated with the at least one network traffic metric.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Splunk Inc.
Original Assignee
Splunk Inc.
Inventors
Pierce, John Clifton

Granted Patent

US 10,673,870 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 41/142   using statistical or mathem...

H04L 43/0888   Throughput

H04L 43/0894   Packet rate

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

SECURITY MONITORING OF NETWORK CONNECTIONS USING METRICS DATA

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

114 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

SECURITY MONITORING OF NETWORK CONNECTIONS USING METRICS DATA

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links